The SEC’s Office of Compliance Inspections and Examinations (OCIE) released a cybersecurity-related risk alert on September 15, 2020 (Risk Alert), regarding the risk of “credential stuffing” attacks against investment advisers and broker-dealers (collectively, Registrants). Credential stuffing is a method of cyber-attack in which the attackers obtain lists of compromised login credentials from the so-called “dark web” (e.g., lists of usernames, email addresses and passwords), and then use automated scripts to try those credentials on other websites in an effort to log in to customer accounts. The attack works because many people reuse the same password across sites. Successful credential stuffing attacks allow cyber-attackers to: gain unauthorized access to customer accounts; access firm systems; steal customer assets; access confidential information; obtain additional login information to sell on the dark web; and/or take over customer or employee accounts to pursue other unauthorized purposes.
The Risk Alert makes clear that OCIE has observed an increase in the frequency of credential stuffing attacks against Registrants, including some successful credential stuffing attacks that resulted in the loss of customer assets and unauthorized access to customer information. OCIE observed in the Risk Alert that credential stuffing is emerging as a more effective method for attackers to access customer accounts and firm systems than traditional “brute force” password attacks, in which attackers attempt to guess user passwords by trying numerous combinations. In light of the increased risk to Registrants, OCIE stated that it issued the Risk Alert to highlight the issue and provide its observations on the practices that Registrants have taken to prevent these types of cyber-attacks.
This Dechert OnPoint summarizes OCIE’s observations with respect to the risk of credential stuffing attacks and sets forth the practices that OCIE has observed Registrants have taken to help protect their firms against credential stuffing attacks.
Summary of OCIE’s Observations
OCIE observed that Registrants’ “information systems, particularly Internet-facing websites, face an increased risk of a credential stuffing attack.” Such websites are attractive targets because they can be used to initiate transactions, transfer funds, or obtain customers’ personal information. OCIE noted that successful attacks occur more often when “(1) individuals use the same password or minor variations of the same password for various online accounts, and/or (2) individuals use login usernames that are easily guessed, such as email addresses or full names.”
In light of the risks stemming from successful credential stuffing attacks, OCIE recommended that Registrants review and update their cybersecurity and identity theft prevention policies and programs to address credential stuffing.
How Firms Have Protected Against Credential Stuffing Attacks
OCIE identified a number of practices that Registrants have implemented in an effort to protect client information and accounts against credential stuffing cyber-attacks, including:
- Review of Policies and Procedures. OCIE observed that Registrants had conducted periodic reviews of policies and programs, with a specific focus on updating password policies to ensure that passwords have adequate “strength, length, type and change of password practices.”
- Multi-Factor Authentication (MFA). OCIE observed that Registrants had used MFA to prevent credential stuffing attacks. MFA requires multiple factors and identity verification methods to authenticate the identity of the person seeking to log in to an account, so that a stolen password alone is not sufficient. Verification methods used for MFA might include personal security questions, one-time passwords sent via text or email, fingerprint scanning or facial recognition. OCIE found that when properly implemented, MFA can offer “one of the best defenses to password-related attacks and significantly decrease the risk of an account takeover.”
- Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA). OCIE observed that some Registrants deployed a CAPTCHA to verify that users are human before allowing users to log in to their accounts. Because credential stuffing attacks rely on automated scripts or bots to access customer accounts, the deployment of a CAPTCHA can help block such attacks by requiring users to confirm that they are human and not running a script. A CAPTCHA requires users to prove that they are human by performing a required action (e.g., identifying pictures of a particular object within a grid of pictures or identifying words or numbers within a distorted image) before logging into the user’s account.
- Controls to Detect and Prevent Attacks. OCIE observed that Registrants have implemented a number of controls to detect and prevent credential stuffing attacks, including: monitoring for a high number of login attempts or a higher than usual number of failed login attempts; using a Web Application Firewall; and making controls available to users to mitigate damage if the user’s account is compromised (such as restricting access to fund transfers or personal information).
- Dark Web Monitoring. OCIE observed that some Registrants have surveilled the dark web for lists of leaked user IDs and passwords.
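The login-monitoring control in the list above is the one that most benefits from a concrete illustration. The following Python script is an added example written for this summary; it is not code from OCIE or from the Risk Alert. It runs the kind of detection logic described (counting login attempts and failures per source) over a constructed sample of authentication log lines, and it distinguishes the credential stuffing signature (one source trying many distinct usernames, mostly failing) from a traditional brute force attack (one source hammering a single account). The log format, field names and thresholds are assumptions for the example; a real deployment would read its own authentication logs and tune the thresholds to normal traffic.

```python
"""Detection logic for the login-monitoring control described above.

Credential stuffing has a different shape from brute forcing: one source tries
many *distinct* usernames, each with one or a few passwords, and most attempts
fail. Brute forcing hammers one account with many passwords. Both produce a
high failure count; telling them apart decides the response (block the source
and alert any account it logged into, versus rate-limiting the one targeted
account).
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Hypothetical thresholds; tune to the site's normal traffic.
MIN_ATTEMPTS = 5        # ignore sources with fewer attempts
MIN_DISTINCT_USERS = 5  # stuffing signature: many usernames from one source
MIN_FAIL_RATIO = 0.8    # stuffing and brute force both fail most of the time

# Constructed sample log, not from any real system. One line per login attempt:
#   <timestamp> src=<client ip> user=<username> result=<OK|FAIL>
SAMPLE_LOG = """\
2020-09-15T10:00:01Z src=203.0.113.5 user=alice@example.com result=FAIL
2020-09-15T10:00:01Z src=203.0.113.5 user=bob@example.com result=FAIL
2020-09-15T10:00:02Z src=203.0.113.5 user=carol@example.com result=FAIL
2020-09-15T10:00:02Z src=203.0.113.5 user=dave@example.com result=OK
2020-09-15T10:00:03Z src=203.0.113.5 user=erin@example.com result=FAIL
2020-09-15T10:00:03Z src=203.0.113.5 user=frank@example.com result=FAIL
2020-09-15T10:00:04Z src=203.0.113.5 user=grace@example.com result=FAIL
2020-09-15T10:00:04Z src=203.0.113.5 user=heidi@example.com result=FAIL
2020-09-15T10:01:00Z src=198.51.100.7 user=alice@example.com result=FAIL
2020-09-15T10:01:05Z src=198.51.100.7 user=alice@example.com result=OK
2020-09-15T10:02:00Z src=192.0.2.9 user=bob@example.com result=FAIL
2020-09-15T10:02:01Z src=192.0.2.9 user=bob@example.com result=FAIL
2020-09-15T10:02:02Z src=192.0.2.9 user=bob@example.com result=FAIL
2020-09-15T10:02:03Z src=192.0.2.9 user=bob@example.com result=FAIL
2020-09-15T10:02:04Z src=192.0.2.9 user=bob@example.com result=FAIL
2020-09-15T10:02:05Z src=192.0.2.9 user=bob@example.com result=FAIL
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(OK|FAIL)")


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    logged_in: set = field(default_factory=set)  # accounts with a successful login


def parse_log(text):
    """Aggregate per-source counters from raw log lines; skip lines that don't match."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, user, result = m.groups()
        s = stats[src]
        s.attempts += 1
        s.users.add(user)
        if result == "FAIL":
            s.failures += 1
        else:
            s.logged_in.add(user)
    return dict(stats)


def classify(s):
    """Label one source as credential stuffing, brute force, suspicious, or normal."""
    if s.attempts < MIN_ATTEMPTS:
        return "normal"
    if s.failures / s.attempts < MIN_FAIL_RATIO:
        return "normal"
    if len(s.users) >= MIN_DISTINCT_USERS:
        return "credential_stuffing"
    if len(s.users) == 1:
        return "brute_force"
    return "suspicious"  # a few accounts, mostly failing: worth a look, no clear pattern


def analyze(text):
    """Return a per-source verdict and, for stuffing sources, the accounts they got into."""
    report = {}
    for src, s in parse_log(text).items():
        verdict = classify(s)
        report[src] = {
            "verdict": verdict,
            "attempts": s.attempts,
            "failures": s.failures,
            "distinct_users": len(s.users),
            # A success from a stuffing source is a probable account takeover: the
            # owner should be alerted and transfers restricted until verified.
            "possibly_compromised": sorted(s.logged_in) if verdict == "credential_stuffing" else [],
        }
    return report


if __name__ == "__main__":
    for src, r in analyze(SAMPLE_LOG).items():
        print(src, r)
```

On the sample data, 203.0.113.5 is flagged as credential stuffing with one account (dave@example.com) successfully logged into, 192.0.2.9 is flagged as brute force against a single account, and 198.51.100.7 (one failed attempt followed by a success) is treated as a normal user. The distinction matters for the user-facing controls mentioned above: the single successful login from a stuffing source is exactly the account for which a firm would want to restrict fund transfers and notify the owner.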
OCIE also encouraged firms to review their current practices, and noted that even though firms generally mandate that customers and staff use strong passwords, those passwords are less effective if they are reused across sites, because a breach of any one site exposes them all. OCIE noted that some firms have engaged in additional messaging regarding the importance of strong passwords and changing such passwords when there is any indication they have been compromised. OCIE further explained that while MFA is helpful, the use of text messages for MFA is “not foolproof.” OCIE noted that some firms have alerted account owners and staff to situations where a bad actor may have fraudulently attempted to transfer their mobile phone number to a separate device (commonly known as SIM swapping), which would allow the attacker to receive the text-message codes.
In light of the increased risk of credential stuffing attacks, Registrants should review and evaluate their current customer account protection safeguards and cybersecurity practices, to consider whether any updates to such programs are necessary in order to adequately protect against such attacks. Registrants also should consider whether customers and employees are adequately informed about how they can secure their accounts and prevent cyber-attacks, as well as the importance of observing strong password practices.